Xero unaffected by OpenSSL issue

A security flaw has been discovered in the popular OpenSSL cryptographic software library, which is used by up to two-thirds of the internet, as well as by a small number of services that Xero uses. Xero has in no way been affected, and your data is safe. More information is available on the OpenSSL page, which includes the Security Advisory.

The researchers who discovered this issue have given it the dramatic name of “Heartbleed”, which you may also see referenced in some news articles.

Steps Xero has taken

Any time there is a potential threat to Xero, we conduct a Security Incident process which includes investigating the potential impact to Xero and our customers.

The immediate step we took was to evaluate which Xero systems use OpenSSL, and whether they used the affected version. The majority of our environment does not use OpenSSL as we run predominantly Microsoft technologies. The sweep of our environment showed no servers or sites running the affected versions.

The second step was to evaluate which external systems we, or direct customers, use that may be vulnerable. The only vulnerable site identified was our Australian Partner ‘Toolkit’, which stores no customer data and does not allow users to log in. Our third-party hosting provider for that environment is August, and they admirably patched the issue within 30 minutes, for which we thank them. The Xero Toolkit site is no longer vulnerable.

As stated above, we have no reason to believe that any of Xero’s environment is affected by this OpenSSL issue. We count ourselves lucky in this case, as a lot of other SaaS providers haven’t been as fortunate.

What you can do

Even though your Xero account is not affected, it is good practice to regularly change your passwords that you use online, and to use a different password for each site that you use.

To protect you from other sites that you use being compromised, consider changing all your passwords for important services now, while it’s at the front of your mind.

To manage multiple passwords for different websites, so that you don’t have to remember them all, we recommend the use of a password manager such as KeePass.

What we will do next

While we don’t have any immediate actions needed to protect our users, we are looking at whether there are any further steps we can take to add additional protection. I’ll update this post later with any action we take as an outcome of this threat.

If you have any questions, please do not hesitate to contact me (Security Officer, Xero) via our support channel (support@xero.com).

20 comments

Benny

April 9, 2014 at 7.35 pm

“A security flaw has been discovered in the popular OpenSSL cryptographic software library that is used by up to two thirds of the internet”

OpenSSL is not used by two thirds of the Internet. You seem to be confused about the market share of Apache+nginx. It’s still amazing that the security of a significant portion of the Internet is in the hands of fewer than a dozen part-time developers.

Hi @Kerry, we became aware of it early Monday morning NZ time, around the same time the rest of the internet heard about it. A couple of large companies were involved with the security researchers co-ordinating the security fixes and disclosure process, but they did not make the issue public until yesterday.

I’m going to take this opportunity to promote the two-factor authentication discussion here: https://community.xero.com/business/discussion/1386112. I have this activated on almost ALL of my online accounts, but for some reason Xero has been unwilling or unable to set it up. Guys, please… this would give us a huge feature to help protect our financial data from being attacked.

I hear you and agree. We do plan to do it, and will keep that thread updated with our progress.

Interestingly, I don’t think 2FA would necessarily protect you against these OpenSSL issues, as the vulnerability was wider in scope than just the authentication process between a browser and web server. Still very desirable to have 2FA for other reasons, of course.

I will also add that we support Google login into Xero, which includes 2FA if you have it switched on – so if you use that mechanism to log in to Xero, you can use your regular Google Authenticator.

@xero Thanks for the heads up. It wasn’t until I saw your blog post that I heard about this. It was only after that that I started seeing other information about this issue being made known.

One of the articles that I have read says that until you receive advice from your relevant software provider that they have resolved the issue (or are not affected by it, as Xero have indicated), changing passwords is useless, as they will still be subject to the vulnerability.

However, if you use the same password on all the services you use across the internet, I’d recommend that now is a good time to proactively change your password on each service to something unique to that service. That means that if your password was breached on one site, at least all the other services you use on the internet won’t be able to be accessed with that password.

Here’s a link to our help that will guide you through setting up Google SSO. Once you’ve done that, you can change your Xero password to something complex, and store it in your password safe, and never need to use it again.

Thank you for the update. Quick question: We accept payments through online invoicing and Stripe integration. I noticed that Stripe may have been affected. It’s my understanding that the communication between Stripe payments on our online invoicing is channeled through Xero’s SSL and not Stripe’s, so it shouldn’t be an issue. But, could someone please confirm how that integration works exactly? A few of our clients are asking about our payment systems, and I’d like to follow Xero’s lead and write a quick blog post about it on our website.

The user opens the Xero online invoicing link in their browser and views the invoice.
If they choose to pay, JavaScript in their browser communicates their credit card details directly from their browser to Stripe. All Xero’s servers see is the token that Stripe returns in response, which indicates success or failure.